Re: How to tell if a firewall alert is suspicious or not
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: Thu, 22 Sep 2005 21:42:15 -0400
"Michelle Peters" <firstname.lastname@example.org> wrote in message
> On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote:
> > NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
> > Request) packet to [126.96.36.199].
> > Do you want to allow this program to access the network?
> That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM!
> You have BIG PROBLEMS if that is occurring.
Hmm... you might be right. That IP address appears to be in Japan and
appears to have no DNS name. Is there any reason your machine should have
been contacting Japan at that moment? [Doing a whois lookup of the IP
address at www.netsol.com, which tells you to do a whois lookup at
www.apnic.net, gives this information.]
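Karl's two-step lookup (start at one registry, follow its pointer to APNIC, then check for a DNS name) can be scripted. The block below is an added example, not code from the thread; it starts the referral chain at IANA's WHOIS server instead of netsol.com, and the two sample responses it carries are constructed stand-ins for real registry output so the parsing can be exercised offline.

```python
import socket

# Constructed sample responses (NOT real registry output), shaped like the
# RPSL-style text that IANA and the regional registries return.
IANA_SAMPLE = "refer:        whois.apnic.net\n\ninetnum:      126.0.0.0 - 126.255.255.255\n"
RIR_SAMPLE = "inetnum:        126.0.0.0 - 126.255.255.255\ncountry:        JP\n"


def whois_query(server, query, timeout=10):
    """RFC 3912 WHOIS: open TCP/43, send the query plus CRLF, read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_field(text, name):
    """Return the value of the first 'name:' line in a WHOIS response, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def reverse_dns(ip):
    """PTR lookup; None when the address has no DNS name (as in Karl's check)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def locate_ip(ip):
    """Ask IANA which regional registry holds the block, follow the 'refer:'
    line to that registry, and return (registry, registered country)."""
    referral = parse_field(whois_query("whois.iana.org", ip), "refer")
    if referral is None:
        return None, None
    return referral, parse_field(whois_query(referral, ip), "country")


if __name__ == "__main__":
    ip = "126.96.36.199"  # the destination from the firewall alert above
    print("reverse DNS:", reverse_dns(ip) or "none")
    print("registry, country:", locate_ip(ip))
```

A destination with no PTR record and a registration in a country the machine has no business talking to is a reason to deny the prompt and look at what ntoskrnl.exe was asked to do, not proof of compromise on its own.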